In today's digital world, information systems and their contents are among the most valuable of an organization's assets. Every year organizations spend significant amounts of money to protect their data from unauthorized access. Simultaneously, organizations have an overarching business requirement to share information with their partners, customers, suppliers, and even in some cases competitors and adversaries. This requires authentication.
The greatest value in authentication is when it forms the basis for enforcing access control rules. That is, in order for a system to determine what a subject can do the system must first ascertain who the subject is.
Traditional authentication systems generally presume a single authentication source and type. For example, in Kerberos the authentication source is a trusted key distribution center (KDC) and the authentication type is user IDs with passwords. [Version five of Kerberos supports initial authentication based on public keys, but a high percentage of commercial implementations of Kerberos authenticate based on a user ID and a password.] Another example is the public key infrastructure (PKI) system. Here the authentication source is a certificate authority (CA) and the authentication type is challenge/response. While both Kerberos and PKI permit multiple authentication sources, these authentication sources must be closely coupled. Often, this translates to complex trust relationships between the sources of authentication, which leads to solutions that are operationally infeasible and economically cost-prohibitive.
An emerging authentication system, and one which has particular importance later in this discussion is the secure remote password (SRP) protocol. In the words of SRP's advocates, inventor Tom Wu and Stanford University, “it solves the problem of authenticating clients to servers securely, in cases where the client must memorize a small secret (like a password) and carries no other secret information, and where the server carries a verifier which allows it to authenticate the client but which, if compromised, would not allow someone to impersonate the client.” But SRP, like traditional authentication systems, also presumes a single authentication source and type.
A practical view of inter- and intra-organization communication reveals that there can never be a single authentication type. In fact, according to a report published in February 2001 by the Giga Group, companies will be supporting multiple authentication types, such as passwords, tokens, certificates and smart cards. Therefore, security architectures should include a single infrastructure for managing all of the authentication types, rather than a separate infrastructure for each. Even if there someday is a single authentication type (e.g. biometrics), there will always be multiple authentication sources, each having administrative control over a set of subjects.
It follows that information systems that seek to enforce access control must be prepared to accept authentication information from any number of sources. Indeed, key criteria for enforcing access control include the exact source and type of authentication. In a practical model the many authentication sources need to form a federation, each of whose members can ascertain the authenticity of a set of subjects.
What is needed is a technology that permits organizations to leverage authentication sources that belong to themselves, or to their customers, partners, suppliers, or any other third party. We can term such a technology a Federated Authentication Service Technology (FAST), and define its goal to be to enable organizations to quickly implement their business relationships through highly secure information systems.